Ask Your Question
0

wireshark 2.4.6 cannot decode ssl application data

asked 2018-04-17 11:40:07 +0000

haoqingchuan gravatar image

updated 2018-04-17 11:53:50 +0000

grahamb gravatar image

I added private key, and the private key works fun because it lookup the right keyID.

ssl_association_remove removing UDP 6443 - handle 0x141e987b0
KeyID[20]:
| 2d c8 af 7b 07 5a fa b9 25 69 a6 1b 86 11 52 eb |-..{.Z..%i....R.|
| e3 36 8d d5                                     |.6..            |

Calculating hash with offset 68 1181
lookup(KeyID)[20]:
| 2d c8 af 7b 07 5a fa b9 25 69 a6 1b 86 11 52 eb |-..{.Z..%i....R.|
| e3 36 8d d5                                     |.6..            |

But wireshark still cannot decode application data, here is the related debug info

dissect_ssl enter frame #587 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x148de6370, ssl_session = 0x148de6de0
  record: offset = 0, reported_length_remaining = 160
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 155, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 151 bytes, remaining 160
Calculating hash with offset 5 155
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #589 (first time)
packet_from_server: is from server - TRUE
  conversation = 0x148de6370, ssl_session = 0x148de6de0
  record: offset = 0, reported_length_remaining = 1669
ssl_try_set_version found version 0x0303 -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 58, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63
ssl_try_set_version found version 0x0303 -> state 0x11
Calculating hash with offset 5 58
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_set_cipher found CIPHER 0xC02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -> state 0x17
ssl_dissect_hnd_hello_ext_alpn: changing handle 0x0 to 0x141e98d30 (http2)ssl_load_keyfile dtls/ssl.keylog_file is not configured!
tls13_change_key TLS version 0x303 is not 1.3
tls13_change_key TLS version 0x303 is not 1.3
  record: offset = 63, reported_length_remaining = 1606
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 1181, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 68 length 1177 bytes, remaining 1249
Calculating hash with offset 68 1181
lookup(KeyID)[20]:
| 2d c8 af 7b 07 5a fa b9 25 69 a6 1b 86 11 52 eb |-..{.Z..%i....R.|
| e3 36 8d d5                                     |.6..            |
ssl_find_private_key_by_pubkey: lookup result: 0x7fb883e5e000
  record: offset = 1249, reported_length_remaining = 420
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 300, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 12 offset 1254 length 296 bytes, remaining 1554
Calculating hash with offset 1254 300
  record: offset = 1554, reported_length_remaining = 115
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 101, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 13 offset 1559 length 97 bytes, remaining 1660
Calculating hash with offset 1559 101
  record: offset = 1660, reported_length_remaining = 9
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 4, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 1665 length 0 bytes, remaining 1669
Calculating hash wit ...
(more)
edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-04-20 14:27:32 +0000

Lekensteyn gravatar image

updated 2018-04-20 14:35:40 +0000

grahamb gravatar image

RSA private key files only work with the RSA key exchange method, but your session uses an ephemeral Diffie-Hellman key exchange (based on elliptic curves):

ssl_set_cipher found CIPHER 0xC02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -> state 0x17

For the background details, see my SharkFest '18 ASIA talk, SSL/TLS Decryption: uncovering secrets:

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-04-17 11:40:07 +0000

Seen: 765 times

Last updated: Apr 20 '18